SOCIAL SECURITY
MEMORANDUM

Date: May 17, 2012
Refer To:

To: The Commissioner

From: Inspector General

Subject: The Social Security Administration's Software Modernization and Use of Common Business Oriented Language (A-14-11-11132)

The attached final report presents the results of our audit. Our objective was to determine whether the Social Security Administration has a strategic plan to convert its legacy application programs to a more modernized programming language. We define a strategic plan as a documented plan or roadmap that explains how the Agency’s information technology modernization efforts will include a conversion from its legacy application programs to a more modernized programming language.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S SOFTWARE MODERNIZATION AND USE OF COMMON BUSINESS ORIENTED LANGUAGE

May 2012
A-14-11-11132

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse.
We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

Executive Summary

OBJECTIVE
The objective of our audit was to determine whether the Social Security Administration (SSA) has a strategic plan to convert its legacy application programs to a more modernized programming language.
We define a strategic plan as a document that explains how the Agency’s information technology (IT) modernization efforts will include a conversion from its legacy application programs to a more modernized programming language.

BACKGROUND
The need for long-term IT planning has been a major concern for SSA for many years. In 1982, SSA announced its Systems Modernization Plan (SMP)[1] to restructure and extensively upgrade its data-handling systems. The Agency told Congress that, without this major upgrade, there might be a serious disruption of its services, which are essential to the welfare of millions of Americans.

SSA’s IT environment includes hundreds of applications and an array of technologies. While the Agency has increased its use of more modern programming languages in its applications, it relies on legacy applications programmed with Common Business Oriented Language (COBOL) to process its core workloads, such as retirement and disability claims. As of June 2010, SSA had over 60 million lines of COBOL code.

In April 2009, the Social Security Advisory Board (SSAB) stated that the Agency should develop a comprehensive systems modernization plan and a strategic vision beyond 2020.[2] A March 2011 SSAB report stated that transforming the Agency’s current systems infrastructure into a modern technology platform required a more aggressive and strategic systems modernization plan.[3] The report also stated that the lack of a longer range vision results in planning that is piecemeal, crisis directed, and ultimately more costly.[4] Furthermore, the Future Systems Technology Advisory Panel recommended that SSA consider developing a comprehensive Agency-wide strategic systems development roadmap, including a high-level view of a realistic future state and a plan to achieve this vision.[5]

[1] In 1982, SSA announced a 5-year plan to modernize its information systems.
The SMP was a multimillion-dollar response to serious problems that had developed during the 1970s and that repeatedly threatened to disrupt SSA’s service delivery operations.
[2] SSAB, Bridging the Gap: Improving SSA’s Public Service Through Technology, April 2009.
[3] SSAB, A Vision of the Future for the Social Security Administration, March 2011.
[4] Id.
[5] Future Systems Technology Advisory Panel, Legacy Systems Conversion Report, May 2010.

SSA's Software Modernization and Use of COBOL (A-14-11-11132)

RESULTS OF REVIEW
Our review determined that SSA does not have a strategic plan to convert its legacy COBOL application programs to a more modernized programming language. Nonetheless, the Agency has developed an approach to gradually reduce its reliance on COBOL for its core processing of program transactions, such as retirement and disability claims. Although there is no specific Federal requirement for agencies to modernize their legacy applications, there is Federal guidance that requires that agencies include IT modernization as part of their enterprise architecture process.

While the Agency has moved forward in modernizing its IT environment,[6] several factors limit the Agency’s ability to operate efficiently and improve service delivery. At a minimum, SSA should address the following factors in its modernization roadmap: (1) projected future service delivery demands; (2) growth of IT and maintenance costs; (3) loss of institutional legacy programming knowledge; (4) lack of integrated business processes; and (5) outdated user interfaces. Although these factors are not unique to COBOL, SSA relies on COBOL applications to deliver its core services.
Therefore, the Agency’s use of COBOL impacts its current system environment and its system modernization path.

We note that Agency management expressed concerns about the emphasis of COBOL in the body of this report and the lack of emphasis on COBOL in the conclusion and recommendations. We acknowledge the concerns we raise are not unique to COBOL, but addressing these concerns needs to be a priority in any of the Agency’s system modernization efforts.

CONCLUSION AND RECOMMENDATIONS
SSA does not have a strategic plan to convert its legacy application programs to a more modernized programming language. Also, SSA’s human capital plan does not adequately provide for continuity of trained COBOL programmers. The Agency has developed an approach to gradually reduce its reliance on COBOL for its core processing of program transactions, such as retirement and disability claims. However, we could not determine whether this approach has resulted in any efficiencies or cost savings. We believe the Agency’s approach has been tactical, rather than strategic, and more needs to be done to develop a strategic roadmap for modernizing its legacy applications.

In an environment in which workloads are growing and budgets are constrained, a long-term roadmap to modernize SSA’s legacy applications is needed to address modernization needs, set accountability standards, and position the Agency to meet future service delivery challenges. We believe such planning would assist SSA in using its resources more effectively and efficiently and meeting projected service delivery demands.

[6] SSA has adopted Java as a standard for new development projects. Java is a programming language used especially to create interactive applications running over the Internet.

We recommend that SSA:

• Develop a comprehensive, long-term strategic plan to modernize SSA’s legacy applications. This plan should

  ✓ include a target timeframe and estimated resources to modernize SSA’s existing environment;
  ✓ include an in-depth analysis of projected service delivery demands and how new approaches and technology can promote greater productivity while meeting customer expectations for service;
  ✓ position the Agency to maximize the effectiveness and cost-efficiency of its systems over the long-term; and
  ✓ be reevaluated over time and revised as necessary.

• Ensure its human capital plan addresses the loss of COBOL programmers and identifies how to maintain COBOL expertise and institutional knowledge transfers to new programmers.

AGENCY COMMENTS
SSA agreed with our first recommendation. However, the Agency disagreed with our second recommendation, stating it already conducts thorough workforce planning. SSA further stated that when, and if, COBOL programming skills appear in its analyses as a legitimate risk, it will articulate appropriate remediation in its Human Capital Plan. The full text of the Agency’s comments is included in Appendix D.

OIG RESPONSE
The Agency’s COBOL applications process SSA’s core workloads and have increased in complexity over time.
Although SSA stated it does not project any shortfalls in COBOL skills, we reiterate our concern that legacy system programmer retirements and insufficient system documentation will increase the Agency’s mission risk. Consequently, SSA should ensure its human capital plan addresses the loss of COBOL programmers and identifies how to maintain COBOL expertise and institutional knowledge transfers to new programmers.

Table of Contents

INTRODUCTION

RESULTS OF REVIEW

The Social Security Administration’s Current Approach to Modernizing Its Applications

Factors the Social Security Administration Needs to Consider as it Develops a Systems Modernization Roadmap

  • Projected Future Service Delivery Demands
  • Growth of Information Technology and Maintenance Costs
  • Loss of Institutional Legacy Programming Knowledge
  • Lack of Integrated Business Processes
  • Outdated User Interfaces
The Social Security Administration Does Not Have a Strategic Plan to Convert Its Legacy Application Programs to a More Modernized Programming Language

CONCLUSIONS AND RECOMMENDATIONS

APPENDICES

APPENDIX A – Acronyms

APPENDIX B – Who Uses Common Business Oriented Language?

APPENDIX C – Scope and Methodology

APPENDIX D – Agency Comments

APPENDIX E – OIG Contacts and Staff Acknowledgments

Introduction

OBJECTIVE
The objective of our audit was to determine whether the Social Security Administration (SSA) has a strategic plan to convert its legacy application programs to a more modernized programming language. We define a strategic plan as a document that explains how the Agency’s information technology (IT) modernization efforts will include a conversion from its legacy application programs to a more modernized programming language.

BACKGROUND
The need for long-term IT planning has been a major concern for SSA for a number of years. In 1982, SSA announced its Systems Modernization Plan (SMP)[1] to restructure and extensively upgrade its data-handling systems. The Agency told Congress that, without this major upgrade, there might be serious disruption of its services, which are essential to the welfare of millions of Americans.
At the time, the SMP was one of the most expensive civilian information projects ever undertaken.

SSA’s IT environment includes hundreds of applications and an array of technologies. While the Agency has increased its use of more modern programming languages in its applications, it relies on legacy applications programmed with Common Business Oriented Language (COBOL) to process its core workloads, such as retirement and disability claims.

Introduced in 1959, COBOL became the first widely used, high-level programming language for business applications. According to a Gartner Consulting assessment, SSA’s COBOL applications have enabled the Agency to support large transaction volumes and meet complex regulatory, benefit, and reporting environments.[2] As of June 2010, SSA had over 60 million lines of COBOL code.

[1] In 1982, SSA announced a 5-year plan to modernize its information systems. The SMP was a multimillion-dollar response to serious problems that had developed during the 1970s and that repeatedly threatened to disrupt SSA’s service delivery operations.
[2] Gartner Consulting, Social Security Administration, Strategic Role of COBOL: Executive Briefing, August 1, 2002.
[3] National Research Council of the National Academies, Social Security Administration Electronic Service Provision, A Strategic Assessment, August 2007.

DIVERGENT VIEWS OF COBOL

In a 2007 report,[3] the National Research Council of the National Academies stated that newer programming languages offered greater capabilities than COBOL. The report also concluded that applications written in COBOL are more cumbersome to maintain.[4] Moreover, a 2009 Social Security Advisory Board (SSAB) report[5] stated that the computer industry generally viewed COBOL as obsolete, and the language lacked industry support.
Additionally, Congress has expressed concern over SSA’s use of COBOL and the length of time the Agency requires to replace it.[6]

On the other hand, other reports have indicated that COBOL remains in widespread use. A November 2008 Datamonitor white paper[7] reported that 75 percent of business data and 90 percent of financial transactions are processed in COBOL. Moreover, a Harris Interactive May 2009[8] survey found that the average American relies on COBOL at least 13 times a day for such activities as cellular telephone calls, credit card transactions, and travel reservations. Moreover, IT executives from six of the largest insurance and financial organizations stated COBOL remains in use in their industries. For more information on COBOL’s use in the public and private sectors, see Appendix B.

ASSESSMENT OF PRIOR MODERNIZATION EFFORTS

Prior Congressional Concern on Modernization Efforts

As previously mentioned, in 1982, SSA announced its SMP to restructure and extensively upgrade its IT systems. In 1986, the Office of Technology Assessment (OTA)[9] issued a special report, The Social Security Administration and Information Technology. The report concluded that although SSA had made significant progress toward achieving the goals of its SMP in many areas, the Agency had fallen behind in other areas. The OTA stated,

    . . . the greatest management failure at SSA was lack of planning and advanced development.
    Professional competence in computer technology was scarce and had to be devoted to solving immediate operational problems; the budget did not provide adequate resources for long-term systems development; top-level executive officers, who were not technologically sophisticated, did not insist on its importance; and political decisionmakers did not want to encourage demands.

[4] Id.
[5] SSAB, Bridging the Gap: Improving SSA’s Public Service Through Technology, April 2009.
[6] Clearing the Disability Claims Backlogs: The Social Security Administration’s Progress and New Challenges Arising from the Recession: Hearing Before House Committee on Ways and Means (Subcommittee on Social Security), 111th Cong. 111-38 (2009) (statement by Congressman Sam Johnson).
[7] Datamonitor, COBOL – Continuing to Drive Value in the 21st Century, November 2008.
[8] The survey was commissioned by Micro Focus and conducted by Harris Interactive.
[9] The Technology Assessment Act of 1972, Public Law 92-484, October 13, 1972, established the OTA for the Congress as an aid in the identification and consideration of existing and probable impacts of technological application; to amend the National Science Foundation Act of 1950; and for other purposes.

Previous Studies on COBOL Modernization Efforts

SSA commissioned studies to assess the viability of COBOL to support its critical systems.
In August 2002, Gartner Consulting stated that while COBOL was not a dead or dying language, newer programming languages enabled easier modifications.[10] Gartner also concluded that newer technology performs best with newer programming languages.[11] Gartner further noted challenges to supporting COBOL in the future and recommended that the Agency restructure its COBOL applications to better support future systems development.[12]

In February 2005, Lockheed Martin (LM) recommended that the Agency position itself for a COBOL migration and develop an assessment/migration plan.[13] LM estimated it would take 10 to 15 years and significant re-engineering to develop SSA’s COBOL applications in another programming language.[14]

GUIDANCE FOR STRATEGIC PLANNING

SSAB Recommendation

In April 2009, SSAB recommended that the Agency develop a comprehensive systems modernization plan and a strategic vision beyond 2020.[15] A March 2011 SSAB report stated that transforming the Agency’s current systems infrastructure into a modern technology platform required a more aggressive and strategic systems modernization plan.[16] The report also stated that the lack of a longer range vision results in planning that is piecemeal, crisis-directed, and ultimately more costly.[17] Furthermore, the Future Systems Technology Advisory Panel (FSTAP) recommended that SSA consider developing a comprehensive Agency-wide strategic systems development roadmap, including a high-level view of a realistic future state and a plan to achieve this vision.[18]

[10] See Footnote 2.
[11] Id.
[12] Id.
[13] LM, Social Security Administration, COBOL Strategic Fit Analysis, February 18, 2005.
[14] Id.
[15] See Footnote 5.
[16] SSAB, A Vision of the Future for the Social Security Administration, March 2011.
[17] Id.
[18] FSTAP, Legacy Systems Conversion Report, May 2010.
Federal Guidance

Office of Management and Budget (OMB) Circular A-130 requires that Federal agencies establish and maintain a capital planning and investment control process that effectively and efficiently links mission needs, information, and IT.[19] The process requires a strategic plan to address comprehensive agency information resources management (IRM).[20] Federal agencies must develop, maintain, and facilitate the implementation of a sound, secure, and integrated framework to evolve or maintain existing IT and acquire new IT to achieve the agency’s strategic and IRM goals.[21] Specifically, OMB Circular A-130 requires that agencies use or create an enterprise architecture (EA) framework to guide strategic IRM planning.[22]

An EA focuses on agency strategy, program performance improvements, and IT investments.[23] Agencies are expected to use the EA to drive performance improvements to save money and avoid cost through collaboration, reuse, productivity enhancements, and elimination of redundancy.[24] The EA must

• describe the agency’s current and target architectures;
• provide a strategy to support the agency’s current state; and
• act as a roadmap for transition to its target environment.[25]

Although there is no specific Federal guidance requiring that agencies modernize their legacy applications, IT modernization is part of the EA process.[26] The Chief Information Officer (CIO) Council’s guide on EA states, “The enterprise life cycle is the dynamic, iterative process of changing the enterprise over time by incorporating new business processes, new technology, and new capabilities, as well as maintenance and disposition of existing elements of the enterprise.”[27] The EA, when coupled with feedback from oversight authorities, such as Congress and the Advisory
board, provides a framework for the expected level of due diligence that should be given to IT planning.

[19] OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, 8.b (1) (November 28, 2000).
[20] Id at 8.b (1)(a).
[21] The Clinger-Cohen Act of 1996, Pub. L. No. 104-106, §§ 5125(b)(2) and (d), 40 U.S.C. § 11315(b)(2).
[22] OMB, A-130, supra at 8.b (2)(b).
[23] OMB, Improving Agency Performance Using Information and Information Technology (Enterprise Architecture Assessment Framework v3.1), June 2009, p. 4.
[24] Id at p. 1.
[25] OMB, A-130, supra at 8.b (2)(a).
[26] CIO Council, A Practical Guide to Federal Enterprise Architecture, February 2001.
[27] Id at p. 8.

RELEVANCE TO CUSTOMER SERVICE

SSA’s November 2010 Retirement Wave Report[28] states that the Agency faces many daunting challenges. A surge in workloads due to the recession has driven an extra 1 million economically distressed workers and families to turn to SSA for help. Additionally, American baby boomers are aging and filing a flood of retirement and disability claims. Moreover, 23.4 percent of SSA’s employees is eligible to retire. SSA has primarily administered its services to the public through face-to-face or telephone contact.
In FY 2010, SSA received approximately 45 million visitors in its field offices and handled almost 68 million transactions via the national 800-number.[29] We believe that without proper long-term IT modernization planning, the Agency may incur a serious disruption of its services, which are essential to the welfare of millions of Americans.

SCOPE AND METHODOLOGY
We reviewed SSA’s responses to our inquiries about its application modernization efforts, IRM Strategic Plan,[30] and EA Transition Strategy.[31] We also researched Federal requirements for strategic planning[32] and COBOL’s use by other Federal agencies and large companies with business processes similar to SSA’s. Further, we reviewed various third-party assessments related to SSA’s COBOL and IT modernization. For additional scope and methodology, see Appendix C.

[28] SSA, Social Security Administration Mission Critical Occupation Fiscal Years 2010-2019, Retirement Wave Report, November 2010.
[29] SSA, SSA’s FY 2010 Performance and Accountability Report, p. 12.
[30] SSA, Information Resources Management Strategic Plan, Fiscal Year 2007.
[31] SSA, Enterprise Architecture Transition Strategy for 2011 Through 2016.
[32] See the above section, Guidance for Strategic Planning.

Results of Review

Our review has determined that SSA does not have a strategic plan to convert its legacy application programs to a more modernized programming language.
Nonetheless, the Agency has developed an approach to gradually reduce its reliance on COBOL for its core processing of program transactions, such as retirement and disability claims. Although there is no specific Federal requirement for agencies to modernize their legacy applications, there is Federal guidance that requires that agencies include IT modernization as part of an agency’s EA process. We believe more needs to be done to develop a documented, comprehensive roadmap to modernize the Agency’s legacy applications, including a target schedule and resource estimates.

While the Agency has moved forward in modernizing its IT environment,[33] several factors limit the Agency’s ability to operate efficiently and improve service delivery. At a minimum, SSA should address the following factors in its modernization roadmap: (1) projected future service delivery demands; (2) growth of IT and maintenance costs; (3) loss of institutional legacy programming knowledge; (4) lack of integrated business processes; and (5) outdated user interfaces. Although these factors are not unique to COBOL, SSA relies on COBOL applications to deliver its core services. Therefore, the Agency’s use of COBOL impacts its current system environment and its system modernization path.

SSA data indicate that during the past decade, the Agency’s annual IT spending has increased from $14 to $22 per beneficiary. In addition, total system maintenance costs[34] increased in 2008 constant dollars from $89 million in FY 2008 to $104 million in FY 2010 (an increase of nearly 17 percent).
Based on current trends, without proper IT strategy, the costs of resources required to maintain SSA’s IT operations will likely continue increasing.

Although SSA has indicated that legacy application modernization will ultimately reduce operating costs and improve service delivery, we could not determine whether the Agency’s modernization approach was achieving the intended efficiencies. According to a former senior Agency official, SSA’s level of funding will not allow the Agency to undertake the major modernizations necessary to deliver robust services via telephone calls, office visits, and the Internet.[35]

[33] SSA has adopted Java as a standard for new development projects. Java is a programming language used especially to create interactive applications running over the Internet.
[34] The Agency defined maintenance as those activities required to keep a software and/or hardware system operational after implementation.
[35] National Council of Social Security Management Associations (NCSSMA), Frontline, Issue 32, June 2010, p. 7.

We note that Agency management expressed concerns about the emphasis of COBOL in the body of this report and the lack of emphasis on COBOL in the conclusion and recommendations. As previously stated, COBOL plays an integral part of the Agency’s current systems environment. Since the report reflects the current environment, it inherently references COBOL since COBOL provides the backbone for data processing at SSA.
We acknowledge the concerns we raise are not unique to COBOL, but addressing these concerns needs to be a priority in any of the Agency’s system modernization efforts.

SSA’S CURRENT APPROACH TO MODERNIZING ITS APPLICATIONS
The Agency’s approach for modernizing its applications consists of four major features.[36]

• SSA has chosen a gradual and opportunistic approach to balance modernization with other business needs. Each year, the Agency prioritizes its IT projects and directs new software development based on available resources. SSA stated that as this planning process directs new application development, it will use more modern languages. For FYs 2011 through 2015, SSA has identified 14 COBOL modernization projects, including the Disability Case Processing and Cost Analysis Systems.[37] The Agency’s budget, business priorities, and changing legislation affect the speed and focus of SSA’s IT modernization efforts.

• SSA has adopted Java as a standard for new development projects. During the last decade, SSA has increased its use of Java to build new applications and modernize core COBOL applications with new interfaces, integration points, and business processes.
Figure 1 shows that while 439 of SSA’s applications contain COBOL, 186 applications contain Java (86 of those 186 applications include both COBOL and Java in the same application).

  [Figure 1: Number of SSA COBOL and Java Applications as of November 2011. Diagram values: COBOL 353, both COBOL and Java 86, Java 100.]

  According to Agency officials, Java represents an increasingly larger percentage of its overall code base, and they plan to use Java opportunistically to build new core online applications and reduce use of COBOL.[38] However, the Agency plans to use COBOL for batch processing until Java or other technologies prove capable of performing the task with the same reliability, scalability, and throughput.[39] SSA stated that COBOL will continue to be a valuable technology for the foreseeable future.

[36] We determined SSA’s application modernization approach through the Agency’s responses to our inquiries, including the SSA document provided by the Office of Systems on April 5, 2011, Modernizing SSA’s Programmatic Application Portfolio & the Associated Technologies.
[37] The Disability Case Processing System is an SSA initiative to build a common system that all State and Federal components can use to process disability determinations. SSA’s Cost Analysis System is used to allocate (1) administrative costs to SSA-administered Trust and general fund programs and (2) reimbursable work SSA performed for outside organizations.

• SSA does not perform straight conversions of COBOL application code to a more modern programming language.
  The Agency stated that such conversions would carry over the same processes as the original code, including any business process inefficiencies and programming challenges. Therefore, SSA stated it transitions into Java as the business need arises to redevelop COBOL applications. For example, the Agency determined it could improve policy compliance by redeveloping its enumeration[40] application. By building the new application using mostly Java code, SSA not only addressed policy compliance but modernized the application’s interface from a COBOL-based “green screen”[41] to a more familiar and easier-to-use Web-based interface.

• SSA uses Application Portfolio Management (APM) to determine the health of its applications. SSA’s APM process gathers data about Agency-developed applications, including programming languages and release frequencies. SSA stated that based on these data, the Agency assesses its application portfolio annually and uses the assessment for its IT planning. For FY 2012, the Deputy Commissioner for Systems identified four priority projects based on the APM process; one of these projects relates to COBOL modernization.

[38] Forrester Consulting, Assessment of the Social Security Administration’s Use of COBOL and Mainframes, February 2011, p.
11.
[39] Id.
[40] Enumeration refers to the assignment of original Social Security numbers and the issuance of replacement cards to those persons who request and are entitled to receive them.
[41] “Green screen” refers to the display of green characters on a dark background.

The Agency also indicated that it has developed a service-oriented architecture to reuse existing software rather than recreate it. According to the Federal Chief Information Officers Council, adoption of a service-oriented architecture will improve Government responsiveness, simplify service delivery, and increase efficiency.[42]

During our audit period, Forrester Consulting completed an SSA-commissioned assessment of the Agency’s use of COBOL.[43] Forrester found that large organizations with workload characteristics similar to SSA had no plans to eliminate their use of COBOL.[44] Furthermore, these organizations indicated that they have been able to enhance their use of COBOL systems by using Java in conjunction with them. However, Forrester recommended that SSA take an evolutionary approach to modernization by replacing COBOL applications that no longer meet its business needs. The report also recommended that the Agency use Java for modern workloads like Internet applications but continue using COBOL for its high-volume core processing of transactions until Java proves capable. SSA’s modernization approach is consistent with Forrester’s recommendations.

Some factors related to the Agency’s legacy applications impact SSA’s ability to operate efficiently and improve service delivery.
We discuss these factors in the following section.

FACTORS SSA NEEDS TO CONSIDER AS IT DEVELOPS A SYSTEMS MODERNIZATION ROADMAP
SSA should address the following issues as it develops a plan to modernize its systems, including its legacy applications.

• Projected future service delivery demands
• Growth of IT and maintenance costs
• Loss of institutional legacy programming knowledge
• Lack of integrated business processes
• Outdated interfaces

[42] Enabling the Mission, A Practical Guide to Federal Service Oriented Architecture, Version 1.1, June 30, 2008, at pp. vi through vii.
[43] See Footnote 38.
[44] We also found this to be the case during our interviews with Fortune 500 insurance companies. See Appendix B.

PROJECTED FUTURE SERVICE DELIVERY DEMANDS

On April 27, 2011, the President issued an Executive Order[45] requiring that Federal agencies develop “. . . a Customer Service Plan to address how the agency will provide services in a manner that seeks to streamline service delivery and improve the experience of its customers.”[46] Such a plan must be a roadmap that ensures the Agency is technologically and structurally prepared to operate its programs in the future and must include a timeline and performance metrics.
Because SSA’s workload is tied to age-based benefits and the anticipated retirement of an increasing number of “baby boomers” is relatively predictable, SSA needs to plan for meeting projected increased service delivery demands with emerging technologies and automation now.

GROWTH OF IT AND MAINTENANCE COSTS

SSA’s annual IT spending has increased in 2001 constant dollars from $14 to $22 per beneficiary since 2001, as shown in Figure 2.[47] Similarly, the Agency’s annual IT spending as a percentage of benefit outlays has also risen, as shown in Figure 3.

[Figure 2: SSA's Annual IT Spending per Beneficiary in 2001 Constant Dollars; vertical axis from $12 to $24]
[Figure 3: SSA's Annual IT Spending as a Percentage of Benefit Outlays; vertical axis from 0.12% to 0.24%]

[45] Executive Order 13571, Streamlining Service Delivery and Improving Customer Service, 76 FR 24339.
[46] OMB, Implementing Executive Order 13571 on Streamlining Service Delivery and Improving Customer Service, M-11-24, June 13, 2011.
[47] IT spending is reported by FY, while the number of beneficiaries is reported by calendar year. Our analysis included Old-Age, Survivors and Disability Insurance (OASDI) beneficiaries as well as Supplemental Security Income (SSI) recipients. The OASDI program provides benefits to qualified retired and disabled workers and their dependents, as well as survivors of insured workers.
Social Security Act § 201 et seq., 42 U.S.C. § 401 et seq. The SSI program provides income to financially needy individuals who are aged, blind, or disabled. Social Security Act, §§ 1601-1637, 42 U.S.C. §§ 1381-1383f.

SSA’s IT Vision states that technology has been the key to providing good service economically.[48] The Agency provided data that indicated its total system maintenance costs[49] increased in 2008 constant dollars from $89 million in FY 2008 to $104 million in FY 2010, an increase of nearly 17 percent. SSA staff stated the Agency is pursuing IT projects to drive efficiencies and reduce costs, and that without such projects, the resources required to maintain SSA’s IT operations would continue increasing. However, SSA provided no documentation that its current modernization approach created any additional efficiencies or stabilized its service delivery costs. Nor could SSA provide an allocation between the cost to maintain its legacy systems and its total IT maintenance cost. Without this information, we could not determine whether SSA’s current investments in IT infrastructure created any additional efficiencies or reduced the cost of operations.

A senior SSA official stated in a June 2010 NCSSMA publication that maintenance and modification costs of older systems are expensive and consume a disproportionate share of SSA’s annual IT expenditure.[50] Furthermore, Gartner indicated that because COBOL programs are developed to perform one long, complex task efficiently, they are difficult to modify and update.[51]

In the past, we have stated that “. . . information systems are a key factor in the Agency’s ability to carry out its initiatives.
As such, the planning, management, and oversight of IT development has become increasingly important. In lean times, resources must be directed to projects that yield optimal efficiency and effectiveness.”[52]

Further, we have expressed concerns over SSA’s ability to determine the return on investment for its IT projects. For example, as part of the Agency’s IT planning process, SSA typically estimates the potential number of full-time equivalent (FTE) positions and related dollar savings that will result by implementing IT projects. In 2008, we reported that the projected dollar savings for SSA’s IT projects were significant—ranging from $10 to $20 billion over a 7-year period.[53] However, we noted that these estimates may not have been realistic and did not appear to reconcile with SSA’s annual productivity statistics.[54] Moreover, we reported that the Agency did not determine whether its major IT projects had delivered overall functionality and cost savings after implementation, as required by OMB.[55] The report noted that SSA needed to coordinate internal efforts to create a post-implementation review process.[56] In a 2010 evaluation, we found that despite the Agency’s efforts to develop a post-implementation review policy and process, SSA needed to improve that process for IT projects to enable validation of estimated benefits.[57]

[48] SSA, Information Technology Vision, 2009-2014, p. 3.
[49] See Footnote 34.
[50] NCSSMA, Frontline, Issue 32, June 2010, p. 7.
[51] See Footnote 2.
[52] SSA OIG, Congressional Response Report: Opportunities and Challenges for the Social Security Administration (A-08-09-29152), April 2009.
[53] Id.
[54] Id.

Federal agencies must ensure they wisely invest their scarce resources.[58] Given the current budget trend, we believe SSA’s path seems unsustainable. Since the Agency’s legacy applications are an integral part of its IT infrastructure, we believe the Agency should consider the cost of maintaining its systems as part of developing a system modernization roadmap to ensure maximum cost-efficiency as it moves forward.

LOSS OF INSTITUTIONAL LEGACY PROGRAMMING KNOWLEDGE

In addition to aging computer systems, SSA’s Strategic Plan, Fiscal Years 2008-2013, lists the loss of institutional knowledge as one of the Agency’s greatest challenges.[59] SSA’s systems have evolved over decades, and the age and complexity of these systems increase the risk the Agency will lose institutional knowledge as it faces a retirement wave.

While the risk of losing institutional knowledge exists regardless of whether the Agency modernizes its legacy applications, a Gartner briefing[60] indicated that, often, only a few senior individuals understand the programming of COBOL systems.
Even under the best-case scenario, partial system documentation exists that may be difficult to understand.[61] This is particularly relevant at SSA, where the Agency stated that the additive nature of business rules has led to increasingly complex systems with limited documentation. For example, in an April 2011 report,[62] we noted that, while key personnel have informally maintained institutional knowledge for one application, lack of complete, up-to-date documentation and established processes could affect continuity of operations if these personnel leave SSA. We also found that during SSA’s enumeration system redesign, the Agency identified lack of documentation as a significant risk.

[55] SSA OIG, Social Security Administration’s Management of Information Technology Projects (A-14-07-17099), July 2007.
[56] Id.
[57] SSA OIG, Quick Response Evaluation: The Social Security Administration’s Post-Implementation Review Process (A-14-10-30105), June 2010.
[58] OMB Circular Number A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets, July 2010, Section 300.3.
[59] SSA, Strategic Plan, Fiscal Years 2008-2013, p. 29.
[60] See Footnote 2.
[61] Id.
[62] SSA OIG, Cost Analysis System Background Report and Viability Assessment (A-15-10-20149), April 2011.

A March 2012 article[63] expressed concerns similar to those identified at SSA. The article indicated that while some of the world’s largest corporations still use COBOL, COBOL programmers are aging and retiring. One IT executive from a top financial institution expressed concern that as programmers retire, the company will lose the deep understanding of business logic in its COBOL programs.
The article further stated that in some organizations, decades of changes have rendered COBOL programs so complex that even experienced programmers cannot understand the code.

In response to our inquiries, the Office of Systems (OS) indicated that 55 of its COBOL programmers[64] separated from the Agency in FYs 2009 and 2010. During our review, OS had 991 programmers with COBOL skills.[65] OS projected the retirement of roughly 100 individuals each FY between 2011 and 2015; however, it could not project the number of retirees with COBOL programming skills.

OS stated that it uses numerous methods to minimize the loss of institutional knowledge as programmers retire. These methods include

• COBOL’s self-documenting nature;
• comments embedded in COBOL code;
• classroom and on-the-job training;
• mentoring programs;
• assigning multiple analysts and programmers for applications; and
• transferring application responsibility before an impending retirement.

SSA has methods in place to minimize the loss of institutional knowledge due to COBOL programmer retirements. However, we are concerned that new SSA programmers may lack the required expertise and understanding of complex business rules used in SSA systems.[66] SSA’s Strategic Human Capital Plan does not address this issue of retiring COBOL programmers.[67]

[63] Robert L. Mitchell, Brain drain: Where COBOL systems go from here, COMPUTERWORLD, March 14, 2012.
As of the date of this report, the article can be found at http://www.computerworld.com/s/article/9225079/Brain_drain_Where_Cobol_systems_go_from_here_?taxonomyId=154&pageNumber=1.
[64] OS defined COBOL programmers as having skills across multiple disciplines, including COBOL.
[65] The Agency was unable to provide the number of COBOL programmers outside of OS.
[66] New SSA programmers may have had experience with SSA systems as contractors.
[67] SSA, Social Security Administration Strategic Human Capital Plan, FY 2009-2011.

Some reports have expressed concern regarding the availability of COBOL programmers and training.[68] In addition, two Fortune 500 CIOs with whom we spoke noted a potential challenge in maintaining a COBOL workforce.[69] We also searched the course offerings of the top 10 computer science universities in the United States.[70] We identified only one university that offered a specific COBOL course.

However, our review also found that during the past several years, at least 50 universities and colleges in the United States have added COBOL to their curriculums. International Business Machines (IBM) Corporation also offers several COBOL classes, and SSA performs its own in-house COBOL training.

SSA stated that, to date, it has been able to hire and train sufficient COBOL programmers to meet its needs, and it does not project any shortfalls in COBOL skills. However, we are concerned that legacy system programmer retirements and insufficient system documentation will increase the Agency’s mission risk. Consequently, the Agency should consider the loss of institutional legacy programming knowledge as it develops its system modernization roadmap.
Moreover, the Agency should ensure its human capital plan addresses the loss of COBOL programmers and explains how to maintain COBOL expertise and institutional knowledge transfer to new programmers.

LACK OF INTEGRATED BUSINESS PROCESSES

SSA’s Strategic Plan, Fiscal Years 2008-2013, states that the Agency’s field offices cannot accommodate growing workloads and responsibilities unless the Agency increases automation wherever possible and offers more modern service delivery channels.[71] The Plan also indicates that the Agency’s legacy computer systems will make it increasingly difficult to implement new business processes and service delivery models unless SSA makes necessary and immediate updates.[72] The Agency stated that it has made those updates by implementing a service-oriented architecture and a reusable framework that has allowed it to leverage legacy assets with modern programming languages. In addition, SSA stated it has adopted a practice to migrate its software to service-oriented architecture and plans to gradually eliminate existing stove-piped applications.[73]

[68] National Research Council of the National Academies’ August 6, 2007 report, Social Security Administration Electronic Service Provision, A Strategic Assessment, stated that it was “. . . unclear how easy it will be to continue to find expertise in more-generic but increasingly obsolete software technologies such as the COBOL programming language.” SSAB’s April 2009 report, Bridging the Gap: Improving SSA’s Public Service Through Technology, stated, “SSA must rely on in-house training in COBOL for its programmers because they are no longer able to learn these skills outside of the agency.”
[69] For our review, we inquired with 27 Fortune 500 banks and insurance companies regarding their COBOL strategies. Of the 27, we received 4 responses. One CIO responded that it was difficult to find graduates after the year 2000 who knew COBOL. Another CIO stated that the greatest challenge he saw related to COBOL was finding individuals to write and maintain the code. We also received a response that did not mention availability of COBOL training and a response indicating that the company did not use COBOL. See Appendix B for more information.
[70] The top ten computer science universities in the United States are based on rankings by U.S. News & World Report. As of the date of this report, this ranking was available at http://www.usnews.com/education/worlds-best-universities-rankings/best-universities-computer-science.
[71] SSA, Strategic Plan, Fiscal Years 2008-2013, p. 33.
[72] Id.

In May 2010, FSTAP reported that SSA’s systems covered a wide array of technologies and programming languages, which includes COBOL. In many instances, these systems did not integrate well, causing significant inefficiencies in business operations and the operations and maintenance of the IT application environment.[74] SSA stated that these integration issues resulted from conscious investment decisions and that the programming language used is not a factor in the lack of integration.

OUTDATED USER INTERFACES

SSA identified its use of green-screen interfaces as a limitation of the Agency’s legacy applications.
These user interfaces were predominantly used in the 1970s and 1980s. However, users now find Web-based user interfaces more familiar and simpler to navigate.[75] SSA stated that conversion from green-screen user interfaces to Web-based interfaces would result in a shorter learning curve for its employees.[76] The Agency faces a major retirement wave,[77] and a shorter learning curve would assist SSA as it trains new employees to manage future increasing workloads. The Agency plans to modernize its green-screen applications with Web-based interfaces; however, the target implementation date for the modernization of systems processing OASDI and SSI is beyond the Agency’s IT Vision of 2014.

SSA DOES NOT HAVE A STRATEGIC PLAN TO CONVERT ITS LEGACY APPLICATION PROGRAMS TO A MORE MODERNIZED PROGRAMMING LANGUAGE
SSA’s responses to our inquiries state that it plans to modernize its legacy IT applications as opportunities arise and funding allows. However, the Agency does not have a strategic plan to modernize its legacy IT environment.

[73] SSA, Enterprise Architecture Transition Strategy for 2011 Through 2016, pp. 10 and 35.
[74] See Footnote 18.
[75] SSA, Information Technology Vision, 2009-2014, p. 17.
[76] Id. at p. 18.
[77] SSA’s Strategic Plan, Fiscal Years 2008-2013, indicates that over 53 percent of SSA’s workforce will be eligible to retire by FY 2017.

OMB requires that an agency’s EA describe its target architecture and act as a roadmap to transition to its target environment.[78] Furthermore, Federal guidance includes IT modernization as part of an agency’s EA process.[79] Although SSA’s EA transition strategy[80] identifies a target IT architecture, the strategy only extends to 2016.
However, LM estimated it would conservatively take 10 to 15 years to redevelop the Agency’s legacy applications. Additionally, SSA’s IT Vision[81] only extends to 2014. Neither document discusses legacy application modernization in detail.

OMB requires that agencies effectively perform and integrate strategic planning and EA to improve agency performance.[82] SSA has indicated that legacy application modernization will ultimately reduce operating costs and improve service delivery; however, the Agency does not have a documented roadmap to modernize its legacy applications. For example, SSA has not established a target schedule or estimated the resources required to modernize its legacy applications. In addition, we (and others) have reported that SSA generally lacked long-term strategic planning for IT systems modernization.

• In April 2009, SSAB stated that the Agency should develop a comprehensive systems modernization plan and a strategic vision beyond 2020.[83]
• In a June 2009 report,[84] we stated that SSA’s IT strategic planning documents were short-term tactical plans that generally did not provide a detailed description of how the Agency intends to address its future IT needs.
• In May 2010, FSTAP recommended that SSA consider developing a comprehensive Agency-wide strategic systems development roadmap, including a high-level view of a realistic future state and a plan to achieve this vision.[85]

[78] See Footnote 25.
[79] See Footnote 26.
[80] See Footnote 31.
[81] SSA, Information Technology Vision, 2009-2014.
[82] Agency EA programs are one of several practice areas that must be effectively executed to achieve improvements in agency mission performance and other measurement areas.
To achieve target performance improvements, other practice areas - such as strategic planning, capital planning and investment control, and program and project management - must be strong and fully integrated with an agency EA practice. OMB, Improving Agency Performance Using Information and Information Technology (Enterprise Architecture Assessment Framework v3.1), June 2009, p. 3.
[83] See Footnote 5.
[84] SSA OIG, Congressional Response Report: The Social Security Administration’s Information Technology Strategic Planning (A-44-09-29120), June 2009.
[85] See Footnote 18.

• In March 2011, the SSAB published a future vision for SSA.[86] This report states that transforming the Agency’s current systems infrastructure into a modern technology platform requires a more aggressive and strategic systems modernization plan. The report also stated that the lack of a longer range vision results in planning that is piecemeal, crisis-directed, and ultimately, more costly.

Furthermore, in December 2011, the Federal CIO at OMB expressed concern that agencies often pay more over the long term to maintain old technology and encounter sudden funding challenges when those systems can no longer operate. He also indicated that the Government needs to find a way of reducing IT maintenance costs to fund new development.[87]

Strategic planning for legacy systems modernization would assist SSA in properly addressing the factors discussed above and ensure scarce Government resources are used wisely and efficiently. Strategic planning helps organizations define an overall mission and focus on objectives. Moreover, it provides better awareness of needs and sets accountability standards.
Finally, strategic planning allows organizations to look to the future and take a proactive posture.

The Agency stated it has generally used a more gradual and evolutionary approach to modernizing its systems. However, we believe that without developing a comprehensive, long-term roadmap to modernize its legacy applications, SSA may not be fully aware of the modernization scope and complexity, potentially resulting in a more challenging and costly effort.

Although SSA has moved forward in modernizing its IT environment, its legacy applications challenge the Agency’s ability to operate efficiently and improve service delivery. We believe SSA will continue facing these challenges under its current modernization approach. In June 2010, a senior SSA official indicated that the Agency’s legacy systems hindered its ability to meet its service delivery challenges and that developing a strategic IT roadmap was among its highest priorities.[88] We believe SSA should develop a roadmap to modernize its legacy applications, which should

• include a target timeframe and estimated resources to modernize SSA’s existing environment;
• include an in-depth analysis of projected service delivery demands and how new approaches and technology can promote greater productivity while meeting customer expectations for service;
• position the Agency to maximize the effectiveness and cost-efficiency of its systems over the long term; and
• be reevaluated over time and revised as necessary.

[86] See Footnote 16.
[87] Joseph Marks, Federal CIO Pushes for New Systems, Shared Services, Nextgov, December 16, 2011.
[88] NCSSMA, Frontline, Issue 32, June 2010, p.
7.

Conclusions and Recommendations

SSA does not have a strategic plan to convert its legacy application programs to a more modernized programming language. Also, SSA’s human capital plan does not adequately provide for continuity of trained COBOL programmers. The Agency has developed an approach to gradually reduce its reliance on COBOL for its core processing of program transactions, such as retirement and disability claims. However, we could not determine whether this approach has resulted in any efficiencies or cost savings. We believe that the Agency’s approach has been tactical, rather than strategic, and that more needs to be done to develop a documented roadmap for modernizing its legacy applications.

SSAB has stated that, despite the measured steps SSA has taken to move systems development forward, a more aggressive and strategic system modernization plan is essential to transform the Agency’s current systems infrastructure into a modern technology platform.[89] Additionally, FSTAP recommended that SSA consider developing a comprehensive Agency-wide strategic systems development roadmap that focused on the Agency’s customers and costs.[90]

SSA’s legacy applications are an integral part of its IT infrastructure and service delivery.
While the following factors are not unique to COBOL, the Agency should\nconsider, at a minimum (1) projected future service delivery demands; (2) growth of IT\nand maintenance costs; (3) loss of institutional legacy programming knowledge; (4) lack\nof integrated business processes; and (5) outdated user interfaces as it develops a\nsystems modernization roadmap that includes legacy applications programmed in\nCOBOL.\n\nSSA has indicated that legacy application modernization will reduce operating costs and\nimprove service delivery. However, SSA provided no documentation that its current\nmodernization approach created additional efficiencies or stabilized its service delivery\ncosts. In an environment in which workloads are growing and budgets are constrained,\na long-term roadmap to modernize SSA\xe2\x80\x99s legacy applications is needed to address\nmodernization needs, set accountability standards and position the Agency to meet\nfuture service delivery challenges. We believe such planning would assist SSA to use\nits resources more effectively and efficiently and meeting projected service delivery\ndemands.\n\n\n\n\n89\n     See Footnote 16.\n90\n     See Footnote 18.\n\n\nSSA's Software Modernization and Use of COBOL (A-14-11-11132)                          18\n\x0cAccordingly, we recommend that SSA:\n\n1. Develop a comprehensive, long-term strategic plan to modernize SSA\xe2\x80\x99s legacy\n   applications. This plan should\n\n   a. include a target timeframe and estimated resources to modernize SSA\xe2\x80\x99s existing\n      environment;\n   b. include an in-depth analysis of projected service delivery demands and how new\n      approaches and technology can promote greater productivity while meeting\n      customer expectations for service;\n   c. position the Agency to maximize the effectiveness and cost-efficiency of its\n      systems over the long-term; and\n   d. be reevaluated over time and revised as necessary.\n\n2. 
Ensure its human capital plan addresses the loss of COBOL programmers and\n   identifies how to maintain COBOL expertise and institutional knowledge transfers to\n   new programmers.\n\nAGENCY COMMENTS\nSSA agreed with our first recommendation. However, the Agency disagreed with our\nsecond recommendation, stating it already conducts very thorough workforce planning.\nSSA further stated that when, and if, COBOL programming skills appear in its analyses\nas a legitimate risk, it will articulate appropriate remediation in its Human Capital Plan.\nThe full text of the Agency\xe2\x80\x99s comments is included in Appendix D.\n\nOIG RESPONSE\nThe Agency\xe2\x80\x99s COBOL applications process SSA\xe2\x80\x99s core workloads and have increased\nin complexity over time. Although SSA stated it does not project any shortfalls in\nCOBOL skills, we reiterate our concern that legacy system programmer retirements and\ninsufficient system documentation will increase the Agency\xe2\x80\x99s mission risk.\nConsequently, SSA should ensure its human capital plan addresses the loss of COBOL\nprogrammers and identifies how to maintain COBOL expertise and institutional\nknowledge transfers to new programmers.\n\n\n\n\nSSA's Software Modernization and Use of COBOL (A-14-11-11132)                             19\n\x0c                                          Appendices\n\n\n\n\nSSA's Software Modernization and Use of COBOL (A-14-11-11132)\n\x0c                                                          Appendix A\n\nAcronyms\nAPM      Application Portfolio Management\nCIO      Chief Information Officer\nCOBOL    Common Business Oriented Language\nEA       Enterprise Architecture\nFSTAP    Future Systems Technology Advisory Panel\nFY       Fiscal Year\nIRM      Information Resources Management\nIT       Information Technology\nLM       Lockheed Martin\nNCSSMA   National Council of Social Security Management Associations\nOASDI    Old-Age, Survivors and Disability Insurance\nOMB      Office of 
Management and Budget\nOS       Office of Systems\nOTA      Office of Technology Assessment\nSMP      Systems Modernization Plan\nSSA      Social Security Administration\nSSAB     Social Security Advisory Board\nSSI      Supplemental Security Income\nVA       Department of Veterans Affairs\n\n                                                                                    Appendix B\n\nWho Uses Common Business Oriented\nLanguage?\nFor our review, we examined the use of Common Business Oriented Language\n(COBOL) by other Federal agencies and top private companies with business\nprocesses similar to the Social Security Administration’s (SSA). The following sections\ncontain our results of how the private and public sectors use COBOL and their plans for\nmodernization of COBOL systems and applications.\n\nPRIVATE SECTOR\n\nIn the private sector, the technology strategies of large insurance companies and banks\nwere most comparable to those of SSA.1 Therefore, we inquired with 27 Fortune\n500 banks and insurance companies regarding their COBOL strategies. We received\nresponses from three information technology (IT) executives.2 In addition, we reviewed\nother COBOL studies conducted by external entities. In a 2011 assessment, Forrester\nConsulting3 interviewed an IT executive at three of the largest financial services firms in\nNorth America. From these interviews, Forrester found that the financial services\nindustry was using COBOL. Our inquiries produced results similar to those of Forrester.\nFollowing is a summary of how and why these companies continue to use COBOL.\n\nOverall, the six IT executives contacted indicated that COBOL remained important to\ntheir industries. For example, we spoke to a Vice President at a Fortune 500 insurance\ncompany. 
He stated that applications at his insurance company run on COBOL.\nFurthermore, we spoke to two Chief Information Officers with Fortune 500 companies.\nOne stated that the financial industry uses COBOL, and the other stated he expected\norganizations to use COBOL for decades.\n\nThe IT executives provided several reasons to support their organizations’ continued\nuse of COBOL. First, they saw no alternative language capable of processing the\nenormous volumes of online and batch transactions. Furthermore, they noted that a\nreplacement effort would take many years and significant resources. Finally, the IT\nexecutives saw little business value for such a replacement effort. However, most of\nthe IT executives stated that their companies used programming languages other than\nCOBOL for new development.\n\n1 Like SSA, these firms had large volumes of batch and online transactions, strict data protection\nrequirements, and complex systems that had been refined over decades.\n2 All three responses were from insurance companies. We received a fourth response from a public\nrelations specialist indicating that her company does not use COBOL.\n3 Forrester Consulting, Assessment of the Social Security Administration’s Use of COBOL and\nMainframes, February 2011. SSA commissioned this study.\n\nOTHER FEDERAL AGENCIES\n\nWhile most Federal agencies used COBOL in some capacity, some agencies relied\nheavily on COBOL for their IT systems, including the Departments of Veterans Affairs\n(VA), Agriculture, and Energy.4 We found limited strategic planning efforts by Federal\nagencies to modernize their COBOL legacy systems.\n\nIn reviewing the IT plans of other Federal agencies, we found that most did not\nspecifically mention COBOL. However, the plans did discuss IT modernization. 
A\ncommon theme was the reuse and leverage of code via service-oriented architecture.5\nFor example, the Department of Health and Human Services noted the reuse of existing\nservices and components will reduce software development time and cost.\n\nThe VA also plans to modernize its IT environment incrementally with an emphasis on\nefficiency. VA’s Chief Information Officer indicated that its COBOL systems limit the\nVA’s ability to use newer technology.\n\n4 Brian Robinson, COBOL Remains Old Standby at Agencies Despite Showing its Age, Federal Computer\nWeek, July 9, 2009.\n5 Planning documents for VA and the Departments of Health and Human Services, Education, and\nHousing and Urban Development all indicated a strategy to move towards a service oriented architecture.\n\n                                                                       Appendix C\n\nScope and Methodology\nOur review focused on the use of the Common Business Oriented Language (COBOL)\nin private industry, the Government, and the Social Security Administration (SSA). Our\nscope included\n•   COBOL strategies and usage of Fortune 500 companies and other Federal\n    agencies;\n•   SSA's COBOL and non-COBOL applications; and\n•   SSA's planning to convert its legacy application programs to a more modernized\n    programming language.\n\nTo determine whether SSA has a strategic plan to convert its legacy application\nprograms to a more modernized programming language, we:\n\n•   Reviewed the following criteria:\n       o   The Clinger-Cohen Act of 1996, as amended, 40 U.S.C. 11315;\n       o   The Paperwork Reduction Act of 1995, as amended, 44 U.S.C. 
3506;\n       o   Office of Management and Budget (OMB) Circular A-130;\n       o   OMB’s Improving Agency Performance Using Information and Information\n           Technology (Enterprise Architecture Assessment Framework v3.1);\n       o   OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition, and\n           Management of Capital Assets; and\n       o   Chief Information Officer Council’s, A Practical Guide to Federal Enterprise\n           Architecture, February 2001;\n•   Inquired with SSA’s Office of Systems.\n•   Interviewed staff from SSA’s Office of the Chief Information Officer.\n•   Obtained the system modernization strategies for SSA and other Federal agencies,\n    related assessments and documentation.\n•   Reviewed assessments of SSA’s IT modernization.\n•   Identified risks and limitations of SSA’s system modernization approach.\n•   Analyzed SSA’s system modernization approach.\n•   Examined SSA’s proportion of system development resources to system\n    maintenance resources.\n•   Assessed industry support for COBOL and determined how it is monitored by SSA.\n•   Contacted Fortune 500 companies and other Government agencies regarding their\n    COBOL strategies.\n•   Identified benefits of strategic planning.\n\nWe performed our audit at SSA Headquarters from January through August 2011. We\nconducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings\nand conclusions based on our audit objectives. 
We believe the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n                                                                Appendix D\n\nAgency Comments\n\n                                       SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:   April 18, 2012                                                          Refer To: S1J-3\n\nTo:     Patrick P. O’Carroll, Jr.\n        Inspector General\n\nFrom:   Dean S. Landis /s/\n        Deputy Chief of Staff\n\nSubject: Office of the Inspector General Draft Report, “The Social Security Administration's Software\n        Modernization and Use of Common Business Oriented Language” (A-14-11-11132)—\n        INFORMATION\n\n        Thank you for the opportunity to review the draft report. Please see our attached comments.\n\n        Please let me know if we can be of further assistance. You may direct staff inquiries to\n        John Biles at (410) 965-3758.\n\n        Attachment\n\nCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n“THE SOCIAL SECURITY ADMINISTRATION'S SOFTWARE MODERNIZATION\nAND USE OF COMMON BUSINESS ORIENTED LANGUAGE” (A-14-11-11132)\n\n\nGENERAL COMMENTS\n\nThank you for revising the report based on the exit conference discussion and our supplemental\nwritten comments. While you improved the accuracy of the report from previous drafts, the\nprimary problem remains: The body of the report is a collection of facts and anecdotes that do\nnot logically lead to the recommendations. 
In addition, aspects of the report are no longer\ncurrent.\n\nThe report contains fundamental flaws with respect to information technology (IT) costs. IT\nspending has not grown substantially as a proportion of our administrative costs, and by common\nbenchmarks such as IT spending in comparison to revenue, we are extremely thrifty.\n\nWhile our overall IT costs have grown, among many other advancements, we added a fully\nprovisioned second data center; accelerated improvement of our public Internet service channel;\nmade extensive advances in disability IT systems; and managed significant computing demand\ngrowth while continuing to provide highly available and secure IT service to our employees and\nthe American public. We do an excellent job keeping our overall IT infrastructure safe, current,\nand optimized.\n\nThe report implies our annual administrative expenses per Old Age Survivors and Disability\nInsurance (OASDI) beneficiary should decrease as IT spending increases. This assumption\nignores the fact that IT spending is not the sole driver of administrative costs. Many other\nfactors unrelated to IT significantly affect our administrative expenses, including payroll costs,\nworkloads, energy, rent, security guards, and mission expansion.\n\nWe also disagree that administrative spending per OASDI beneficiary/Supplemental Security\nIncome recipient is a valid reflection of change in our administrative efficiency. Far more than\nhalf of our administrative costs go to processing new claims and appeals—workloads that are not\nproportional in volume to the number of beneficiaries and recipients. In addition, notable\namounts of our administrative costs go toward enumeration and annual wage reporting\nprocesses. These workloads have no correlation whatsoever to the number of beneficiaries and\nrecipients.\n\nIt is clear that IT is a key driver of both our productivity and performance successes. 
Facts show\nthat our measured productivity grew substantially during the last decade, and we achieved\nsignificant service delivery successes despite the growth in demand for our services.\n\nGiven the complexities of our mission, our high degree of automation, and the age of our\norganization, we have a large and diverse catalog of software. Our overall strong systems\nperformance shows that our software works and reflects a significant, multi-decade investment\nof taxpayer dollars. Our costs to maintain this software are remarkably flat.\n\nWe select new IT investments in software primarily because of business goals. When we\ndevelop software to support business goals, we use that opportunity to modernize our systems.\nOn a separate track, we also review each of our software applications annually and make a\ntechnical judgment about increasing risk of performance issues and the potential for failure. If\ntechnical risk grows too high with any software application, we initiate a modernization project\n(irrespective of business goals).\n\nRESPONSE TO RECOMMENDATIONS\n\nRecommendation 1\n\nDevelop a comprehensive, long-term strategic plan to modernize SSA’s legacy applications.\nThis plan should\n   a. include a target timeframe and estimated resources to modernize SSA’s existing\n       environment;\n   b. include an in-depth analysis of projected service delivery demands and how new\n       approaches and technology can promote greater productivity while meeting customer\n       expectations for service;\n   c. position the Agency to maximize the effectiveness and cost-efficiency of its systems over\n       the long-term; and\n   d. be reevaluated over time and revised as necessary.\n\nResponse\n\nWe agree. 
This recommendation is consistent with current guidance from the Office of\nManagement and Budget regarding the Federal Enterprise Architecture framework. We also\nexpect to issue a current Information Resource Management Strategic Plan within the next\nmonth.\n\nRecommendation 2\n\nEnsure its human capital plan addresses the loss of COBOL programmers and identifies how to\nmaintain COBOL expertise and institutional knowledge transfers to new programmers.\n\nResponse\n\nWe disagree. We already conduct very thorough workforce planning. When and if COBOL\nprogramming skills appear in our analyses as a legitimate risk, then we will articulate appropriate\nremediations in our Human Capital Plan.\n\n                                                                         Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n   Brian Karpe, Director, Information Technology Audit Division\n   Grace Chi, Audit Manager\n\nAcknowledgments\nIn addition to those named above:\n\n   Michael Zimmerman, Auditor\n\nFor additional copies of this report, please visit our Website at http://oig.ssa.gov/ or\ncontact the Office of the Inspector General’s Public Affairs Staff at (410) 965-4518.\nRefer to Common Identification Number A-14-11-11132.\n\n                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, 
Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\n                     Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of\nInvestigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations\n(OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with\npolicies and procedures, internal controls, and professional standards, the OIG also has a comprehensive\nProfessional Responsibility and Quality Assurance program.\n                                             Office of Audit\nOA conducts financial and performance audits of the Social Security Administration’s (SSA) programs\nand operations and makes recommendations to ensure program objectives are achieved effectively and\nefficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial\nposition, results of operations, and cash flow. Performance audits review the economy, efficiency, and\neffectiveness of SSA’s programs and operations. 
OA also conducts short-term management reviews and\nprogram evaluations on issues of concern to SSA, Congress, and the general public.\n                                       Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and\noperations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA\nemployees performing their official duties. This office serves as liaison to the Department of Justice on\nall matters relating to the investigation of SSA programs and personnel. OI also conducts joint\ninvestigations with other Federal, State, and local law enforcement agencies.\n                        Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative\nmaterial. Also, OCIG administers the Civil Monetary Penalty program.\n                                    Office of External Relations\nOER manages OIG’s external and public affairs programs, and serves as the principal advisor on news\nreleases and in providing information to the various news reporting services. OER develops OIG’s media\nand public information policies, directs OIG’s external and public affairs programs, and serves as the\nprimary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and\npresentations to internal and external organizations, and responds to Congressional correspondence.\n                       Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. 
OTRM also\ncoordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In\naddition, OTRM is the focal point for OIG’s strategic planning function, and the development and\nmonitoring of performance measures. In addition, OTRM receives and assigns for action allegations of\ncriminal and administrative violations of Social Security laws, identifies fugitives receiving benefit\npayments from SSA, and provides technological assistance to investigations.\n"